NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-15(12)Minimize Personally Identifiable Information

Require the developer of the system or system component to minimize the use of personally identifiable information in development and test environments.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Organizations can minimize the risk to an individual’s privacy by using techniques such as de-identification or synthetic data. Limiting the use of personally identifiable information in development and test environments helps reduce the level of privacy risk created by a system.

Practitioner Notes

Minimize the collection and use of personally identifiable information in the development process. Developers should not need access to real PII to do their work.

Example 1: Prohibit developers from using real PII in test data, debug logs, or development documentation. Establish synthetic data standards and provide developers with tools and libraries for generating realistic test data without real personal information.

Example 2: Configure your logging framework to automatically redact PII from log output. Instead of logging 'User John Smith (SSN: 123-45-6789) logged in,' the log should show 'User [REDACTED] (SSN: ***-**-6789) logged in.' Implement this at the framework level so individual developers do not have to remember to redact.

More System and Services Acquisition Controls

SA-1 Policy and Procedures SA-2 Allocation of Resources SA-3 System Development Life Cycle SA-3(1) Manage Preproduction Environment